A Chrome password dump tool found in the latest update from Microsoft's Flight Simulator Add-On wrangler, Flight Sim Labs, has virtual pilots up in arms.
The download featured updates to the Airbus A320 model including improvements to the engine crank and flare mode logic and, er... a password harvester for Chrome.
Noted in a …

Re: Idiots...


I suspect that whomever was tasked with adding the thing to the installer was pretty vocal that it would not end up being a good thing, but a middle manager had overheard something that sounded similar in Starbucks and that was the end of that decision-making process.

Re: Idiots...

"This method has already successfully provided information that we're going to use in our ongoing legal battles against such criminals,"

Wow, just....wow. Admission of guilt for computer misuse?

OMG, it gets worse...

"Using this method, Kalamaras writes, the FSLabs team was able to "dump that cracker's information needed for us to gain access to those illicit websites, so we could then forward the information to proper legal authorities." What he and his team found, he writes, was "an entire web of operations" dedicated to pirating multiple flight simulators"

So they also breached other websites with this guy's stolen details? Man, they are fucked.

Re: The path to hell


Catching cunts who are ripping off other people's hard work.

Okay, not much sympathy for the pirates either. But if I suspect you're growing drugs and break into your house to check, then I'm still guilty of breaking and entering. Maybe if I had good reason and turned out to be right I'd get off lightly. If I start breaking into all the neighbourhood houses 'just to check' I'm guilty of breaking and entering and being a maniac.

Re: The path to hell

@LewisRage

I wasn't saying that they don't have a right to protect their profits; I was pointing out that their 'good intentions' were not altruistic; they just wanted to make sure people weren't using their products without paying and that goal is nowhere near sufficient justification for what they did.

As I have said at every opportunity in previous comments, I am not a supporter of those who violate copyright and I have little sympathy for them.

BUT, I do not believe that violating copyright is so serious and grave a threat to society that deploying malware and spyware is justified in order to stop it.

Compare this to cases where the FBI have performed similar actions (i.e. installed malware/spyware) to catch people involved in a child-porn ring. THAT situation is serious and a genuine threat to the most vulnerable among us, but even then these powers are a step too far in many people's minds.

My point, again, is simply that, if there is some line beyond which the ends justify these means, this situation does not even come close to reaching that mark.

Installing malware/spyware on someone else's computer is a far greater offence than running some software without paying.

Re: The path to hell

@Aladdin Sane

The developer's end goal might seem worthy when you phrase it a certain way - e.g.: to stop people distributing cracking tools for their software - but, more simply, the goal is to protect their profit.

That's what all DRM is, after all.

Looking at this specific case, it seems apparent that, while the behaviour of the cracker(s) is clearly illegal, the closed, 'in group' nature of the distribution (of the cracking tools) implies that the damage could not have been overly large.

Of course, the software itself is relatively niche but still, this cracking operation seems to be available only to a select few and not anyone who just searches online for "give me tha free warez!!!"

What we have here is a classic case of a digital company believing that they have some intrinsic right to do whatever it takes to make sure everyone is paying them.

In this case, they massively over-reached given the likely scope of the problem but the point is that this kind of behaviour is inherently poor form (ignoring the legality) and crosses a line (distributing spyware) that shouldn't be crossed no matter the motivation.

They're not first and won't be the last.

Even Blizzard have installed spyware in World of Warcraft. Anyone remember the whole spat over "Warden"? Admittedly I think that was to catch hackers and bots rather than DRM feature, but what a sledge-hammer to crack a nut?

I think the lesson here is - if you think you have a piracy or DRM issue then you'd better lawyer up before you even start coding your solution. Developers have to start putting privacy first before guarding their intellectual property, and it shouldn't take a grey suit to keep your moral compass pointing in the right direction, but if that's what it takes...

I swear the speccy twats think they're god and can code what they like and put whatever they want on anyone's computers. Utter wuckfits! Let them feel the wrath of GDPR.

Re: They're not first and won't be the last.

"Google says it is a European directive, that doesn't have the same dissuasive power. It only frightens the bean-counters."

Except that an approved and enacted European Directive means that each member has to enact into law the said Directive. It only sounds like guidance, but in fact it is the law. The guidance bit can seem deceptive in terms of force of law, but the term "guidance" is to direct EU member governments on what is needed in law so there may be some variations locally but the meat of the directive is actual law across the EU, Google is well aware of the situation. They have lawyers experienced in dealing with the EU and EU law.

Re: They're not first and won't be the last.

Fun (well, tedious, but important) fact about the GDPR, it is an EU regulation, and applies directly in member states without having to be transcribed into national law. You're right a directive has to be enacted by member states; the previous Data Protection Directive became the Data Protection Act in the UK. The advantage of a regulation is things are harmonised, IANAL, but I guess disadvantages are it being more difficult to integrate them with existing national law (legislation may still be required) and people worrying about sovereignty.

Re: They're not first and won't be the last.

It sounds like Greece doesn't currently have any such legislation, though, and in general legislation isn't retroactive in effect. If that's the case, they only have to worry about the GDPR if they were still shipping this after Greece put it into effect in law, which is going to take at least a year or so I would assume.

Re: They're not first and won't be the last.

You mean Blizzard, the company that insisted that their two flagship non-MMO properties - Diablo and Starcraft - would require constant online connectivity to even play single player?

The problem - as you have identified - is really the elevation of DRM and "intellectual property protection"* above the privacy of the customer and their control over their own computer.

Software companies will continue doing this unless either their ability to do so is restricted by legislation or the community - en masse - stops buying their products. I don't know which is less likely. Certainly there is no will by governments for the former, and the massive acceptance of platforms like Steam shows there is apparently no will by consumers to do the latter.

* - The term 'intellectual property protection' is not really accurate, however; what they are attempting to protect is their PROFIT. Protecting your intellectual property is covered by patents and trademarks and so forth - someone running a copy of your software does not harm your 'intellectual property' - just your (potential) profits.

It also highlights a common industry deficiency. Many developer interviews find time for trivia ("what is a closure?") that can be looked up in 5 seconds but completely fail to inquire about fundamentals like knowledge of the Computer Misuse Act and Data Protection Act etc. It's like hiring an architect based on his knowledge of the aesthetics of post-modernism and forgetting to ask if he's ever heard of building regulations and planning permission.

and some say that I'm paranoid

Certain apps, including some games, get installed inside one of my VMs which do NOT have network access except when _I_ say. Yes, there can be a performance hit, and some apps refuse to install in the VM at all, but I can live with the lower performance and I can live without the refuseniks. Flight Sim X dates from 2006. Given the improvement in hardware since then, despite Spectre/Meltdown, I can get very nice performance in the VM. As the VMs in question aren't supposed to connect to any network except on _my_ say-so, I don't install web browsers on them. IE and/or Edge will be there, of course, but I don't use either, so I don't care. I don't usually use Chrome. Firefox, yes. Safari, yes. Opera, yes. Vivaldi, yes. Chrome, no. And I don't store passwords, etc., on the VMs, because I don't connect to networks on those VMs and therefore I don't need passwords. What would happen if I had installed this 'package' would have been that I'd have spotted it trying to call home, and failing, and I'd have yanked the 'package' so fast that there'd have been Cherenkov radiation.

Wasn't there some brouhaha about Google digging in its heels and flatly refusing the requests of many of their customers to include a master password and encrypted password store like Firefox has? Something about the Google guy throwing a fit, telling the people that demanding something doesn't mean they get it, so stop asking and STFU? Something about Google saying that there is no value in a master password setup, and that their customers who think otherwise are wrong?

These are Google's feelings: "We understand that many of you want a master password for your saved passwords in Google Chrome. ... Currently, the best method for protecting your saved passwords is to lock your computer whenever you step away from it, even for a short period of time. We encrypt your saved passwords on your hard disk. To access these passwords, someone would either need to log in as you or circumvent the encryption. ... Please know that your security is our highest priority, and our decision not to implement the master password feature is based on our belief that it creates a false sense of security instead of actually providing a strong security benefit."

Apparently 'malware is somehow present on your PC' doesn't count because one type of malware is a keylogger, and therefore giving all malware access to your Chrome passwords is acceptable.

Re: Have they forgotten about Sony?

I can remember friends of mine having issues ripping CDs. I thought it was odd, as I wasn't having any problems at all.

It was only a little later that I realised I'd gotten into the habit of holding the Shift key down when sticking a CD into the drive (to avoid annoying autorun programs), and that it had become muscle memory. So I'd, by accident, avoided installing Sony's 'software' from the CD, and the disks copied/ripped just fine for me!

Re: Have they forgotten about Sony?

They are probably Android developers as well.

Android developers and ad-targeting firms seem to think that grabbing as much as they can off your device is fair game.

Don't be surprised at the many ad-brokers that slurp your exact location and account info, even if you have location services switched off. Many also grab a list of all your installed apps, and all sorts of other stuff that in aggregate could be used to identify you - and other stuff that frankly they have no business slurping. This equally applies to "respected" companies, and to apps which are paid for and contain no adverts (*analytics* cough).

Just go to any of the ad companies' websites - they proudly boast about it.

But back to our industry in general... How has this happened? A few years ago, if any software phoned home to do anything other than download updates or join a multi-player game etc., there would be hell to pay.

The tracking is actually the main reason I've rebelled against ads. TV companies have no analytics. - Web advertisers can get precise viewing counts and times - they should have been grateful for that. Common-domain ad-serving is JUST to get around the privacy protections in the cookie specification... So why is it deemed ok to do it?